Use after free and crash under special conditions in RPZ code
Summary
| CVE | CVE-2026-44608 |
|---|---|
| State | PUBLISHED |
| Assigner | NLnet Labs |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-05-20 10:16:28 UTC |
| Updated | 2026-05-20 22:52:48 UTC |
| Description | NLnet Labs Unbound 1.14.0 up to and including version 1.25.0 has a locking inconsistency vulnerability that when certain conditions are met (multi-threaded, RPZ XFR reload, RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers) it could result in heap use-after-free and eventual crash. An adversary can exploit the vulnerability if conditions are first met on a vulnerable Unbound, i.e., multi-threaded, an RPZ zone with 'rpz-nsip'/'rpz-nsdname' triggers and an ongoing XFR for that RPZ zone. Local RPZ files do not trigger the vulnerability. If the timing is right and an XFR happens at the same time another thread needs to read that RPZ zone, the reader may not hold the lock long enough and the thread applying the XFR may free objects that the reader is about to walk causing the use-after-free. Unbound 1.25.1 contains a patch with a fix to the locking code. |
Risk And Classification
Primary CVSS: v4.0 4.6 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
EPSS: 0.000530000 probability, percentile 0.166540000 (date 2026-05-27)
Problem Types: CWE-413 | CWE-413 CWE-413: Improper Resource Locking
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 4.6 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/C... |
| 4.0 | CNA | CVSS | 4.6 | MEDIUM | CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U... |
| 3.1 | [email protected] | Primary | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
CVSS v4.0 Breakdown
Attack Vector
NetworkAttack Complexity
HighAttack Requirements
PresentPrivileges Required
NoneUser Interaction
NoneConfidentiality
NoneIntegrity
NoneAvailability
HighSub Conf.
NoneSub Integrity
NoneSub Availability
NoneCVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
NoneIntegrity
NoneAvailability
HighCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | NLnet Labs | Unbound | affected 1.14.0 1.25.1 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.nlnetlabs.nl/downloads/unbound/CVE-2026-44608.txt | [email protected] | www.nlnetlabs.nl | Mitigation, Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Qifan Zhang (Palo Alto Networks) (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-04-28T00:00:00.000Z | Issue reported by Qifan Zhang |
| CNA | 2026-05-07T00:00:00.000Z | NLnet Labs shares patch |
| CNA | 2026-05-08T00:00:00.000Z | Qifan Zhang verifies patch |
| CNA | 2026-05-20T00:00:00.000Z | Fixes released with version 1.25.1 |
Solutions
CNA: This issue is fixed starting with version 1.25.1
There are currently no legacy QID mappings associated with this CVE.